
From: "Ian Delaney (idella4)" <idella4@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in dev-python/pyxdg/files: sec-patch-CVE-2014-1624.patch
Date: Wed, 26 Mar 2014 07:45:59
Message-Id: 20140326074551.EB2D72004F@flycatcher.gentoo.org
1 idella4 14/03/26 07:45:51
2
3 Added: sec-patch-CVE-2014-1624.patch
4 Log:
5 add sec patch wrt Bug #498934, rm old
6
7 (Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0xB8072B0D)
8
9 Revision Changes Path
10 1.1 dev-python/pyxdg/files/sec-patch-CVE-2014-1624.patch
11
12 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-python/pyxdg/files/sec-patch-CVE-2014-1624.patch?rev=1.1&view=markup
13 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-python/pyxdg/files/sec-patch-CVE-2014-1624.patch?rev=1.1&content-type=text/plain
14
15 Index: sec-patch-CVE-2014-1624.patch
16 ===================================================================
17 Improve security of get_runtime_dir(strict=False)
18 https://github.com/takluyver/pyxdg/commit/bd999c1c3fe7ee5f30ede2cf704cf03e400347b4
19 diff --git a/xdg/BaseDirectory.py b/xdg/BaseDirectory.py
20 index cececa3..a7c31b1 100644
21 --- a/xdg/BaseDirectory.py
22 +++ b/xdg/BaseDirectory.py
23 @@ -25,7 +25,7 @@
24 Note: see the rox.Options module for a higher-level API for managing options.
25 """
26
27 -import os
28 +import os, stat
29
30 _home = os.path.expanduser('~')
31 xdg_data_home = os.environ.get('XDG_DATA_HOME') or \
32 @@ -131,15 +131,30 @@ def get_runtime_dir(strict=True):
33
34 import getpass
35 fallback = '/tmp/pyxdg-runtime-dir-fallback-' + getpass.getuser()
36 + create = False
37 +
38 try:
39 - os.mkdir(fallback, 0o700)
40 + # This must be a real directory, not a symlink, so attackers can't
41 + # point it elsewhere. So we use lstat to check it.
42 + st = os.lstat(fallback)
43 except OSError as e:
44 import errno
45 - if e.errno == errno.EEXIST:
46 - # Already exists - set 700 permissions again.
47 - import stat
48 - os.chmod(fallback, stat.S_IRUSR|stat.S_IWUSR|stat.S_IXUSR)
49 - else: # pragma: no cover
50 + if e.errno == errno.ENOENT:
51 + create = True
52 + else:
53 raise
54 -
55 + else:
56 + # The fallback must be a directory
57 + if not stat.S_ISDIR(st.st_mode):
58 + os.unlink(fallback)
59 + create = True
60 + # Must be owned by the user and not accessible by anyone else
61 + elif (st.st_uid != os.getuid()) \
62 + or (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)):
63 + os.rmdir(fallback)
64 + create = True
65 +
66 + if create:
67 + os.mkdir(fallback, 0o700)
68 +
69 return fallback
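Review bot: The check-then-act sequence is not atomic: between the `os.lstat(fallback)` check (and the `os.unlink`/`os.rmdir` that may follow it) and `os.mkdir(fallback, 0o700)`, another local user can recreate the path, and `os.mkdir` then raises `OSError(EEXIST)` because mkdir does not follow a symlink at the final component — the function fails closed rather than returning a hostile path, but nothing in the hunk says so. I would document that outcome above the mkdir: `# A race with another local user ends here with mkdir raising EEXIST: fail closed rather than hand back a path we did not create`. Relatedly, when `/tmp` has the sticky bit set, `os.unlink` and `os.rmdir` on an entry owned by a different uid raise `OSError(EPERM)`, so a pre-created entry by another user makes `get_runtime_dir(strict=False)` raise instead of falling back; a comment stating that `strict=False` can still raise OSError would set caller expectations. The enclosing `get_runtime_dir` starts outside the hunk.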